The project actually consists of six programs and one patch for snort:
The patch and programs of FLoP
This patch adds an output plugin to snort that writes the alerts to a unix domain socket [1].
This program creates the unix domain socket to which snort writes the alerts. The received alerts are buffered and forwarded to a central server running servsock.
On the central server, all alerts from all remote sensors are collected and written to a database. Additionally, high-priority alerts can be written to a unix domain socket, where another program receives them and sends them via email to a list of predefined recipients.
Alerts received via a unix domain socket are collected and sent to a list of recipients.
If too many alerts are buffered, memory can run short. To avoid this, a low and a high water mark can be set: once more than high-water alerts are in the buffer, alerts are dropped to a unix domain socket until the low water mark is reached. This program collects these dropped alerts and sends them via email to a list of recipients, or prints them to stdout if sending the email fails.
Optionally, additional information about the captured network packets can be stored in the database. If this information is available, this program can rebuild a pcap file containing the original captured network packets. This file can be used with programs like tcpdump or ethereal. To use this feature the database schema has to be extended; see README.database for more information on this topic.
This False-Positive-Generator takes a snort configuration file and creates, for nearly every rule, a network packet able to raise an alert. It is useful for performance and stress tests of the whole chain, from snort through to the database.
The next sections explain all these programs, how they work and how they can be configured.
[1] All unix domain sockets used are of type datagram, to avoid blocking if the process that created the socket is not available.
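As an added illustration (not FLoP's own code) of the two mechanisms above, the low/high water mark buffering and the choice of datagram sockets in footnote [1]: a small Python model of the bounded alert buffer and a drop sink that hands alerts to a unix datagram socket. The names, the marks (low=3, high=8) and the rule that the oldest alerts are the ones shed are assumptions made here, not statements from the page.

```python
import os
import socket
import tempfile
from collections import deque

def send_datagram(path, payload):
    """Hand one alert to the unix datagram socket at `path`; True on success.
    With no process bound to `path`, sendto() fails at once instead of hanging
    the sender, which is the point of footnote [1]."""
    s = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    try:
        s.sendto(payload, path)
        return True
    except OSError:  # ENOENT / ECONNREFUSED: no collector is listening
        return False
    finally:
        s.close()

class AlertBuffer:
    """Bounded alert queue with low/high water marks (sockserv/servsock model).
    Assumption, not stated on the page: the oldest alerts are the ones shed."""
    def __init__(self, low, high, drop_sink):
        if not 0 <= low < high:
            raise ValueError("need 0 <= low < high")
        self.low, self.high, self.drop_sink = low, high, drop_sink
        self.queue = deque()

    def push(self, alert):
        self.queue.append(alert)
        if len(self.queue) > self.high:        # high water mark exceeded
            while len(self.queue) > self.low:  # shed until low water mark
                self.drop_sink(self.queue.popleft())

def watermark_demo(n=12, low=3, high=8):
    """Push n alerts into a buffer nobody drains; return (kept, dropped)."""
    dropped = []
    buf = AlertBuffer(low, high, dropped.append)
    for i in range(n):
        buf.push(f"alert-{i}")
    return list(buf.queue), dropped

def datagram_demo():
    """Send once with no collector bound, then once with one; return results."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "drop.sock")
        before = send_datagram(path, b"alert-0")  # collector not running yet
        with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as collector:
            collector.bind(path)
            after = send_datagram(path, b"alert-1")
            received = collector.recv(64)
    return before, after, received
```

In a real deployment the drop sink would be `send_datagram` pointed at the socket of the program described in the water mark paragraph, and a sender whose collector is absent gets an immediate error rather than a stalled snort.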